CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1

Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities IP spoofing TCP attacks SYN flooding attack TCP RST attack TCP Session Hijacking ARP cache poisoning ICMP attacks Summary Recap: The Security Life-Cycle Threats Policy Specification Design Implementation Operation and Maintenance 2

Threat, Vulnerability, and Attack A threat is a potential violation of security Flaws in design, implementation, and operation Vulnerability! An attack is any action that violates security Active vs. passive attacks Vulnerability Definition Vulnerability, security flaw: failure of security policies, procedures, and controls that allow a subject to commit an action that violates the security policy Subject is called an attacker Using the failure to violate the policy is exploiting the vulnerability or breaking in 3

Vulnerability Analysis Vulnerability analysis (vulnerability assessment), is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure Vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use Typical Steps Defining and classifying network or system resources Assigning relative levels of importance to the resources Identifying potential threats to each resource Developing a strategy to deal with the most serious potential problems first Defining and implementing ways to minimize the consequences if an attack occurs 4

Limited Scope in This Class We focus on understanding the generic vulnerabilities inside commonly used TCP/IP protocols Homework 4 will be based on this content. TCP/IP VULNERABILITY EXAMPLES 5

TCP/IP Stack and Example Protocols e.g., DNS e.g., TCP, UDP e.g., IP, ICMP e.g., ARP Identify Targets: Port Scanning Ports dynamically address ("bind") IP packets to a process Socket data structures keep the mapping information Need to "bind" a socket (port) to a process Ports range from 0 to 65535 Ports 0-1023 are reserved for well-known services Require root (in UNIX) access to listen on those ports UDP and TCP ports Usually the same port number is assigned to a service for both UDP and TCP (if the service can use both) Tools: NMAP E.g, run "nmap -ss 127.0.0.1" Does a SYN scan More: TCP connect, FIN, Ping, UDP 6

Identify Targets: OS Fingerprinting OS Fingerprinting is a method of detecting the remote host s operating system using information leaked by that host s TCP stack. To do this, we use: the responses it gives to carefully crafted packets (active mode) usually with an invalid/strange set of options (which is where OS vendors usually differ in implementation), and see what happens. or by observing captured network traffic (passive mode). These methods are possible because each OS implements their TCP stack differently. OS Fingerprinting (ab)uses these differences Example Methods Used in Nmap The FIN probe Send a FIN packet (or any packet without an ACK or SYN flag) to an open port and wait for a response. The correct RFC 793 behavior is to NOT respond, but many broken implementations such as MS Windows, BSDI, CISCO, and IRIX send a RESET back IPID sampling TCP Initial Window TCP Options 7

EXAMPLE: IP SPOOFING IP Protocol Header 8

Threat Examples - IP Spoofing A common first step to many threats Source IP address cannot be trusted! SRC: source DST: destination IP Header IP Payload SRC: 18.31.10.8 DST: 128.194.7.237 Is it really from MIT? Similar to US Mail (or E-mail) From: Guofei Gu TAMU To: William Smith M.I.B. Corp. US mail maybe better in the sense that there is a stamp put on the envelope at the location (e.g., town) of collection... 9

Most Routers Only Care About Destination Address 128.59.10.xx Rtr src:128.59.10.8 dst:128.194.7.237 Columbia Rtr 128.194.xx.xx 36.190.0.xx Stanford Rtr src:128.59.10.8 dst:128.194.7.237 TAMU Why Should I Care? Attack packets with spoofed IP address help hide the attacking source. A smurf attack launched with your host IP address could bring your host and network to their knees. Higher protocol layers (e.g., TCP) help to protect applications from direct harm, but not enough. 10

Current IPv4 Infrastructure No authentication for the source Various approaches exist to address the problem: Router/firewall filtering TCP handshake Router Filtering Decide whether this packet, with certain source IP address, should come from this side of network. Hey, you shouldn t be here! 36.190.0.xx Stanford Rtr src:128.59.10.8 dst:128.194.7.237 Local policy 11

Router Filtering Very effective for some networks (ISP should always do that!) At least be sure that this packet is from some particular subnet Problems: Hard to handle frequent add/delete hosts/subnets or mobileip Upsets customers should legitimate packets get discarded Need to trust other routers EXAMPLE: TCP ATTACKS 12

TCP Protocol Header 0 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 3 0 3 1 Source Port Destination Port Sequence Number Acknowledgement Number Data Offset - - - - Window Checksum Urgent Pointer Options (0 to 10 Words of 32 Bits) TCP Payload TCP Handshake client SYN seq=x server SYN seq=y, ACK x+1 ACK y+1 connection established 13

TCP Flow Control How much can a sender send at a time? The more can be sent, the more efficient the network is Fewer header bytes, media contention delays, etc... TCP "Window" With every ACK, the receiver indicates how many more bytes it is prepared to receive Acknowledgement Number Window TCP Stream Increasing numbers Maximum Window Sequence Number TCP Sequence Numbers Every new connection gets a new initial sequence number (ISN) For both sides of the connection ISNs are exchanged (jargon: streams are "synchronized") in the initial SYN handshake TCP packets with sequence numbers outside the window are ignored This makes attacks on TCP applications harder than if they used UDP 14

TCP Handshake 128.59.10.xx Rtr seq=y, ACK x+1 Columbia Rtr 128.194.xx.xx 36.190.0.xx Stanford Rtr x TAMU The handshake prevents the attacker src:128.59.10.8 from establishing a TCP connection dst:128.194.7.237 pretending to be 128.59.10.8 TCP Handshake Very effective for stopping most such attacks Problems: The attacker can succeed if y can be predicted Other DoS attacks are still possible (e.g., TCP SYNflood) 15

SYN Flooding Attack This exploits how the 3-way handshake of TCP services for opening a session works. SYN packets are sent to the target node with incomplete source IP addresses The node under attack sends an ACK packet and waits for response Since the request has not been processed, it takes up memory Many such SYN packets clog the system and take up memory Eventually the attacked node is unable to process any requests as it runs out of memory storage space SYN Flooding Attack 90% of DoS attacks use TCP SYN floods Streaming spoofed TCP SYNs Takes advantage of three way handshake Server start half-open connections These build up until queue is full and all additional requests are blocked Solution? 16

General idea TCP SYN cookies Client sends SYN w/ ACK number Server responds to Client with SYN-ACK cookie sqn = f(src addr, src port, dest addr, dest port, rand) Server does not save state Honest client responds with ACK(sqn+1) Server checks response If matches SYN-ACK, establishes connection TCP RST Attack Send a RST (TCP RESET flag) packet with a spoofed IP address to either side of a valid connection Need to guess a sequence number inside the appropriate window Or sniff traffic to know which number to use The range can be guessed fairly efficiently for RST attacks Sequence numbers: 32 bits Window size: up to 16 bits Number of guesses 32-16 = 16 bit address space 65535 RST attempts, ~ 4 min on DSL connection Faster connection or zombies, faster RST This is the brute force RST attack 17

IP Spoofing & TCP Session Hijacking X establishes a TCP connection with B assuming A s IP address A (1) SYN Flood (4) SYN(seq=n)ACK(seq=m+1) (2) predict B s TCP seq. behavior (3) B X EXAMPLE: ARP POISONING 18

ARP Poisoning ARP = Address Resolution Protocol ARP is used by routers extensively to find the destination node. Routers have IP addresses (32-bits). In order to deliver the packet to the destination node, the router broadcasts the IP address of the destination and obtains the MAC address (48-bits). ARP Protocol 19

ARP Poisoning Hosts store the IP-to-MAC address mapping in the ARP table. ARP Poisoning means that the ARP communication is intercepted by redirection from a router. Example: Assume router s IP is 10.1.1.0 Host s IP is 10.1.1.1 Malicious host with IP 10.1.1.2 spoofs 10.1.1.1 and replies to requests from 10.1.1.0 with its MAC address From this point on all packets meant for 10.1.1.1 is routed to 10.1.1.2 because the router has the MAC address of 10.1.1.2 in its routing table 20

Spoofed ARP reply IP:10.0.0.2 MAC:cc:cc:cc:cc Spoofed ARP reply IP:10.0.0.2 MAC:cc:cc:cc:cc switch A IP:10.0.0.1 MAC:aa:aa:aa:aa B IP:10.0.0.2 MAC:bb:bb:bb:bb Hacker IP:10.0.0.3 MAC:cc:cc:cc:cc ARP cache IP MAC 10.0.0.2 bb:bb:bb:bb ARP cache IP MAC 10.0.0.1 aa:aa:aa:aa switch A IP:10.0.0.1 MAC:aa:aa:aa:aa B IP:10.0.0.2 MAC:bb:bb:bb:bb Hacker IP:10.0.0.3 MAC:cc:cc:cc:cc ARP cache IP MAC 10.0.0.2 cc:cc:cc:cc A s cache is poisoned ARP cache IP MAC 10.0.0.1 aa:aa:aa:aa 21

Defenses against ARP Spoofing No Universal defense. Use static ARP entries Cannot be updated Spoofed ARP replies are ignored. ARP table needs a static entry for each machine on the network. Large overhead Deploying these tables Keep the table up-to-date Someone point out that Windows still accepts spoofed ARP replies and updates the static entry with the forged MAC. Sabotaging the purpose of static routes. Port Security Also known as port binding or MAC Binding. A feature on some high-end switches. Prevents changes to the MAC tables of a switch. Unless manually performed by a network administrator. Not suitable for large networks and networks using DHCP. 22

Arpwatch A free UNIX program which listens for ARP replies on a network. Build a table of IP/MAC associations and store it in a file. When a MAC/IP pair changes (flip-flop), an email is sent to an administrator RARP (Reverse ARP) Requests the IP of a known MAC. Detect MAC cloning. Cloning can be detected, if multiple replies are received for a single RARP EXAMPLE: ICMP ATTACKS 23

ICMP Internet Control Message Protocol (IP management) Error handling and debugging protocol Not authenticated! Encapsulated inside an IP header Message types 40 assigned 255 possible about two dozen in use Basic ICMP Message Type 0 Echo Reply 3 Destination Unreachable 4 Source Quench 5 Redirect 8 Echo 11 Time Exceeded 12 Parameter Problem 13 Timestamp 14 Timestamp Reply 15 Information Request 16 Information Reply 24

icmp echo request icmp echo reply ping icmp echo request to a broadcast address: from victim attacker victim icmp echo request from all hosts to victim smurf Smurf Attack Generate ping stream (ICMP echo request) to a network broadcast address with a spoofed source IP set to a victim host Every host on the ping target network will generate a ping reply (ICMP echo reply) stream, all towards the victim host Amplified ping reply stream can easily overwhelm the victim s network connection Fraggle and Pingpong exploit UDP in a similar way 25

Zombies Others: DDoS Using DNS Botnets increasingly used for amplified distributed reflective attacks Victim Attacker Large DNS TXT RR (1500+ bytes) DNS Request for Large TXT record UDP (~60 bytes) Amplified Distributed Reflective Attack Open Recursive DNS Servers (anyone can query) ICMP Redirect Attack ICMP message type 5 Really, you should send your packets to that gateway first, it will be faster Uh, OK, I ll send them there then if you say so Typically used as a scam to perpetrate man-inthe-middle attack or DoS Similar ideologically to ARP poisoning 26

ICMP Redirect Attack The attacker can forge ICMP redirect packet in order to Redirect traffic to himself T G1 ICMP redirect to AT AT H ICMP Redirect - Countermeasures YES - Disable the ICMP REDIRECT NO - Linux has the secure redirect options but it seems to be ineffective against this attack 27

SUMMARY Vulnerability A vulnerability (or security flaw) is a specific failure of the security controls Using the failure to violate the site security: exploiting the vulnerability; the person who does this: an attacker Defenders can also do this: vulnerability analysis (assessment), penetration testing Many tools exist such as Nessus, ISS Internet Scanner, SAINT 28

Vulnerability Analysis Even commonly, widely used TCP/IP protocols have vulnerabilities Very likely more in realistic, deployed applications, systems, networks Understanding the vulnerabilities can help us defend against attacks more effectively 29